Users Searching for Popular Software Targeted by Malicious Advertisers via Google Ads.

There has been a recent discovery of a malicious advertising campaign exploiting Google Ads to redirect users searching for popular software to deceptive landing pages and subsequently delivering payloads for the next stage.

Malwarebytes detected this activity and noted that it is "unique in its way to fingerprint users and distribute time sensitive payloads."

The campaign targets users searching for Notepad++ and PDF converters, serving fraudulent ads on the Google search results page. When an ad is clicked, the operators filter out bots and unwanted IP addresses by showing those visitors a decoy site.

If the operators judge the visitor to be a potential target, they silently fingerprint the system while redirecting the visitor to a fake site that advertises the program. The fingerprinting is used to determine whether the request originates from a virtual machine.

Visitors who fail this check are redirected to the official Notepad++ website, while a potential target is assigned a unique ID for "tracking purposes, but also to make each download unique and time sensitive."


The final stage of the infection is an HTA payload, which connects to a remote domain, in this case "mybigeye[.]icu," on a custom port and serves follow-on malware.

"Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims," Jérôme Segura, director of threat intelligence, said in a statement.

"With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads."

This disclosure coincides with a parallel campaign targeting users searching for the KeePass password manager. Its malicious ads redirect victims to a look-alike domain built with Punycode, the encoding that represents Unicode characters inside ASCII-only domain names: keepass[.]info versus ķeepass[.]info, where the first character is a Latin k with a cedilla (U+0137) rather than a plain k.

"People who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots and anyone not deemed to be a genuine victim," as explained by Segura. "The threat actors have set up a temporary domain at keepasstacking[.]site that performs the conditional redirect to the final destination."

Users who land on the decoy website are tricked into downloading a malicious installer that ultimately executes FakeBat (also known as EugenLoader), a loader whose job is to fetch additional malware.

Abuse of Punycode is not new in itself, but pairing it with malicious Google Ads marks a step up in the sophistication of search-engine malvertising. The operation is a homograph attack: the actor registers a domain that renders almost identically to a trusted site and relies on that visual match to persuade users to download malware.

"While Punycode with internationalized domain names has been used for years by threat actors to phish victims, it shows how effective it remains in the context of brand impersonation via malvertising," as noted by Segura.
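A defender-side check for the kind of look-alike domain described above, added here as an illustration and not part of the original article or the Malwarebytes research. It decodes Punycode labels with Python's built-in codec, strips diacritics with an NFKD decomposition (so the k-with-cedilla collapses to a plain k), maps a small hand-picked subset of Unicode confusables (Cyrillic letters that render like Latin ones), and compares the result against a constructed brand watchlist. The watchlist, the confusables table, the Cyrillic sample host and the function names are assumptions made for the example.

```python
import unicodedata

# Constructed watchlist of brand labels to protect (registrable label only).
BRANDS = {"keepass", "notepad-plus-plus"}

# Hand-picked subset of Unicode confusables: Cyrillic letters that render like Latin ones.
# The authoritative table is Unicode's confusables.txt; this subset is an assumption.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043a": "k",  # CYRILLIC SMALL LETTER KA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def decode_idn(hostname: str) -> str:
    """Turn an ASCII-compatible (xn--) hostname into the Unicode form a browser displays."""
    labels = []
    for label in hostname.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            # "xn--" is the IDNA prefix; the rest is RFC 3492 Punycode.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Collapse a label to the ASCII it visually resembles.

    NFKD splits precomposed letters such as U+0137 (k with cedilla) into a base
    letter plus a combining mark; dropping the marks leaves a plain 'k'. Letters
    that do not decompose (e.g. Cyrillic ka) are mapped through CONFUSABLES.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def classify(hostname: str) -> dict:
    """Compare the second-level label of a hostname against the brand watchlist."""
    decoded = decode_idn(hostname)
    labels = decoded.split(".")
    # Second-level label; a real deployment would consult the public suffix list instead.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    skel = skeleton(label)
    if label in BRANDS:
        verdict = "brand"        # genuine label (the TLD still needs a separate check)
    elif skel in BRANDS:
        verdict = "homograph"    # renders like a brand but is made of other code points
    elif any(b in skel for b in BRANDS):
        verdict = "lookalike"    # brand name embedded in a longer label
    elif skel != label:
        verdict = "idn"          # internationalised but not impersonating the watchlist
    else:
        verdict = "unrelated"
    return {"input": hostname, "decoded": decoded, "skeleton": skel, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample: the real KeePass domain, the Punycode look-alike from the
    # campaign, the cloaking domain, and a Cyrillic variant built for this example.
    for host in ["keepass.info", "xn--eepass-vbb.info", "keepasstacking.site",
                 "\u043aeepass.info", "example.org"]:
        print(classify(host))
```

The important design point is to compare skeletons rather than raw strings: the Punycode form `xn--eepass-vbb` shares no characters with `keepass`, and the decoded form differs by one code point, so only after decomposition and confusable mapping does the impersonation become a plain string match that a proxy log filter or an alerting rule can key on.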

Visual deception is also the theme of fake browser update campaigns, in which threat actors such as TA569 (SocGholish), RogueRaticate (FakeSG), ZPHP (SmartApeSG), and ClearFake (including the variant that uses the EtherHiding technique to stage payloads in blockchain smart contracts) have been observed delivering Cobalt Strike, loaders, stealers, and remote access trojans. This underscores how persistent and continually evolving these threats are.

"Fake browser updates abuse end user trust with compromised websites and a lure customized to the user's browser to legitimize the update and fool users into clicking," Proofpoint researcher Dusty Miller wrote in an analysis published this week.

"The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site."


Great article, Dan. It's alarming to see the level of sophistication that threat actors are achieving in their malicious advertising campaigns. The use of Punycode and the intricate techniques to filter out sandboxes and bots are concerning. It's essential for individuals and organizations to stay informed about these evolving threats and to adopt robust security measures to protect themselves. Your article serves as a valuable reminder of the ever-present cybersecurity challenges we face today.

Mohammad Hasan Hashemi

Entrepreneurial Leader & Cybersecurity Strategist

1 year

Thank you, Dan, for bringing this crucial issue to our attention. The exploitation of malicious advertising campaigns using Google Ads to deceive users searching for popular software is a troubling development in the realm of cybersecurity. It underscores the need for constant vigilance, not only from cybersecurity professionals but also from everyday users. Your insights into the tactics and techniques used by threat actors are invaluable for our understanding of these evolving cyber threats. It's a stark reminder of the importance of staying informed and taking proactive steps to protect ourselves in this digital age.
